
1

AIS Webinar Payment Application Security

Hap Huynh, Business Leader, Visa Inc.

1 April 2009

2 Payment Application Security | 1 April 2009

Agenda

• Security Environment

• Payment Application Security Overview

• Questions and Comments

3

Security Environment

4

Data Security is a Hot Media Topic

5

Security Environment

Fears about identity theft and financial fraud are top global concerns for consumers, according to the latest results of the Unisys Security Index.

– Identity theft is the primary security concern cited among respondents in nine out of 14 countries, while misuse of credit or debit card information ranks as the first or second greatest fear in 12 out of the 14 countries.

Countries that identified card fraud as a serious concern:

[Chart: Unisys Security Index scores for Brazil, Germany, Hong Kong, Malaysia, Spain and the US. The index values extracted from the chart are 223, 208, 217, 184, 181 and 175; their pairing with the individual countries is not recoverable from the extracted text.]

Source: Unisys Security Index, Unisys Inc., December 2008

6

Today's Targets

• Hackers are attacking:

– Brick-and-mortar merchants

– Issuers

– E-commerce merchants

– Processors and Agents

• Hackers are looking for:

– Software that stores sensitive cardholder data

– Personal information to perpetrate identity theft

– Track data and payment account numbers

– PINs

7

What are Criminals Doing?

• Stealing payment card information from retailers, agents, clients, ATMs and other sources with security vulnerabilities

• Organizing and selling stolen account information in online markets known as “Carder” sites:

“I sell the freshest DUMPS, they are mostly USA, some EU and Asia.”

“You can choose your favorite BINs from over 300…”

• Committing fraud attacks

Estimated market value of compromised accounts*

[Chart: price ladder for compromised account data and plastic, covering account number and CVV2, classic track data, Gold/Plat/Corp track data, track data and PIN, semi-finished blank plastic and complete counterfeit Gold plastic. Price labels extracted from the chart: $1, $15, $30, $80-$100, $250 and a revenue-share arrangement at the top end; plastic status labels: No Plastic, White-Plastic, Finished. The pairing of prices with items is not recoverable from the extracted text.]

* Source: The United States Secret Service

8

Sophisticated and Well Organized

Organized crime uses business-like structure and separates duties…

Recon/Hacker

– Looks for zero day exploits and other vulnerabilities

– Conducts wide-range scanning, looking for systems / POS / databases that are vulnerable

– Scans / probes specific targets

– Steals account information

Data Cleanser/Aggregator

– Responsible for data preparation

– Sorts by BIN, product, country etc.

– Tests data for authorizations, limits and weak authorization parameters

Cracker

– Breaks encrypted data

– Tries to crack encryption and PIN blocks

Seller

– Vets potential buyers

– Arranges payments

– Takes leftovers from cleansers

Customer/Reseller

– Purchases data or plastic

– Creates counterfeit cards

– Performs fraudulent purchases

– Resells data or plastic

9

Vulnerabilities Resulting in Security Breaches

• Integrated Point of Sale (POS) systems connected directly to the Internet

• Insecure network configuration

• Insecure remote access configuration

• Use of default user ID and password

• Use of legacy operating system

• Lack of current patches

• No anti-virus protection

• Lack of logging and monitoring

• Malware


10

Impact of Data Compromises

• Notification/disclosure requirements

• Brand/reputation damage

• Loss of business/consumer confidence

• Financial liabilities

– Compromised entity

– Visa clients

• Litigation

• Government intervention/legislation

11

Cardholders ARE Concerned

Which ONE of the following is your MOST frequent concern when it comes to using credit cards?

Nearly three quarters of the most frequent concerns given when it comes to using credit cards are related to security.

– By a wide margin the top concern is identity theft followed by fraudulent transactions, accumulation of debt, and information stored by the merchant.

Concern                                                        Feb'09   Dec'07
That you may become a victim of identity theft                   40%      43%
That your card may be used to make a fraudulent transaction      19%      16%
That your personal information may be stored by the merchant     14%      14%
You may be accumulating too much debt                            14%      15%
You might be charged a transaction fee                            4%       3%
The store doesn’t accept your card brand                         2%       2%
Your card may be declined                                         2%       1%

(Survey series assigned in the order of the chart legend, Feb'09 then Dec'07, as extracted.)

73% Security Related

Source: Security and Fraud: National Survey of Cardholders, Fabrizio, McLaughlin & Assoc., February 2009; December 2007

12

Incident Response Procedures

Immediate Action Steps

1. Isolate the compromised or suspected compromised systems

– Take “offline” and store securely; Do not “rebuild” and continue to use

– Ensure controls are in place to limit further damage

2. Determine the scope of the compromise or breach

– Was cardholder data compromised?

– Was sensitive authentication data or full track data included?

3. Contact your merchant bank or Visa within 24 hours

– Visit AIS website and download the What to Do If Compromised document

4. Engage a Visa approved Qualified Incident Response Assessor

– Assessor will assist in determining what type and how much data was compromised

13

Payment Application Security Overview

14

Payment Application Security

Drive the adoption of secure payment applications that do not store prohibited data

• Visa’s PABP published in 2005

– Provide vendors guidance to develop products that facilitate Payment Card Industry Data Security Standard (PCI DSS) compliance

– Minimize compromises caused by insecure payment applications with emphasis on track data storage

• List of validated payment applications published monthly since January 2006

– 555 products across 254 vendors independently validated by a Qualified Security Assessor (QSA)

– List of PABP-validated applications published at www.visa-asia.com/padss

– List of vulnerable payment applications published quarterly since February 2007

• PABP adopted by the PCI SSC as an industry standard, the PA-DSS, in April 2008

15

Payment Application Data Security Standard

PCI SSC adopts PABP as the PA-DSS in April 2008

• PCI SSC is responsible for:

– Maintaining and updating the PA-DSS and related documentation

– Qualifying and training Payment Application Qualified Security Assessors (PA-QSAs) to perform PA-DSS assessments

– Being the single repository for PA-DSS Reports of Validation (ROVs)

– Performing quality assurance reviews of PA-DSS ROVs to confirm report consistency and quality

– Listing PA-DSS validated payment applications on the PCI SSC website

• Visa will continue to:

– Work with PCI SSC for potential enhancements to address emerging risks

– Maintain a list of vulnerable payment applications that are known to store prohibited data

– Promote payment applications that support PCI DSS compliance

17

Payment Application Data Security Standard

Payment applications that support PCI DSS compliance

1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data

2. Protect stored cardholder data

3. Provide secure authentication features

4. Log payment application activity

5. Develop secure payment applications

6. Protect wireless transmissions

7. Test payment applications to address vulnerabilities

8. Facilitate secure network implementation

9. Cardholder data must never be stored on a server connected to the Internet

10. Facilitate secure remote software updates

11. Facilitate secure remote access to payment application

12. Encrypt sensitive traffic over public networks

13. Encrypt all non-console administrative access

14. Maintain instructional documentation and training programs for customers, resellers, and integrators

18

PA-DSS: Scope

Software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.

Page 6, PA-DSS version 1.2

19

PA-DSS Applicability

Type of application | Does PA-DSS apply?

“Off-the-shelf” standard payment applications without much customization | YES

Software developed in modules | YES, applies to any module with payment functions

For hardware terminals | YES, unless terminal meets specific criteria

Software for only one, typically large customer, developed to customer’s specifications | NO, application is covered as part of customer’s Payment Card Industry Data Security Standard (PCI DSS) assessment

Software developed by merchant or service provider and used only in-house | NO, application is covered as part of merchant’s or service provider’s PCI DSS assessment

Supporting systems, for example, operating systems, databases, back-office systems, firewalls, routers, etc. | NO, these are NOT payment applications

20

Applicability for Hardware Terminals

• PA-DSS does not apply only if all of these items are true:

– The terminal has no connections to any of the merchant’s systems or networks

– The terminal connects only to the acquirer or processor

– The vendor provides secure remote:

• Updates

• Troubleshooting

• Access

• Maintenance

– Sensitive authentication data is never stored after authorization

21

Cardholder Data: Important Concepts

Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4

Cardholder Data

– Primary Account Number | YES | YES | YES

– Cardholder Name (1) | YES | YES (1) | NO

– Service Code (1) | YES | YES (1) | NO

– Expiration Date (1) | YES | YES (1) | NO

Sensitive Authentication Data (2)

– Full Magnetic Stripe Data (3) | NO | N/A | N/A

– CAV2/CID/CVC2/CVV2 | NO | N/A | N/A

– PIN/PIN Block | NO | N/A | N/A

1. These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

2. Do not store sensitive authentication data after authorization (even if encrypted).

3. Full track data from the magnetic stripe, magnetic-stripe image on the chip, or elsewhere.
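As an added illustration, not part of the webinar material, of PA-DSS requirement 1 (slide 17) and the storage table above: the Python below audits constructed transaction-log lines for sensitive authentication data that must never be retained after authorization, and truncates any PAN to its first six and last four digits, one of the methods PCI DSS Req. 3.4 permits. The log field names, the sample PAN (a standard test number) and the regular expressions are assumptions made for the example.

```python
import re

# Constructed sample records in the shape a payment application might write to a
# transaction log. The PAN 4111111111111111 is a standard test number, not a real card.
SAMPLE_LINES = [
    "2009-04-01 10:01:22 AUTH ok pan=4111111111111111 exp=1012 amt=12.50",
    "2009-04-01 10:02:07 AUTH ok track2=;4111111111111111=10121011234567890?",
    "2009-04-01 10:03:41 AUTH ok pan=4111111111111111 cvv2=123 amt=7.00",
    "2009-04-01 10:04:05 AUTH ok pan=4111111111111111 pinblock=1A2B3C4D5E6F7A8B",
    "2009-04-01 10:05:19 SETTLE batch=17 count=3 status=sent",
]

# Elements PA-DSS requirement 1 says must never be retained after authorization.
# Track data follows the ISO 7813 layout (";PAN=..." / "%BPAN^..."); the CVV2 and
# PIN-block field names are assumptions tied to the constructed log format above.
PROHIBITED = {
    "full track data": re.compile(r"[;%]B?[0-9]{13,19}[=^][^?]{4,}\?"),
    "CVV2/CVC2/CID": re.compile(r"\b(?:cvv2|cvc2|cav2|cid)=\d{3,4}\b", re.IGNORECASE),
    "PIN block": re.compile(r"\bpinblock=[0-9A-F]{16}\b", re.IGNORECASE),
}
PAN_RE = re.compile(r"\b[0-9]{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check, so timestamps and batch ids are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d >= 5 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(line: str) -> str:
    """Truncate each PAN to first six and last four digits (a PCI DSS Req. 3.4 method)."""
    def repl(m):
        pan = m.group(0)
        if not luhn_ok(pan):
            return pan
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return PAN_RE.sub(repl, line)

def audit_line(line: str) -> dict:
    """Report which prohibited elements a stored line contains, plus a truncated copy."""
    found = [name for name, rx in PROHIBITED.items() if rx.search(line)]
    return {"prohibited": found, "masked": mask_pan(line)}

def audit_log(lines) -> list:
    """Any entry with a non-empty 'prohibited' list shows the application storing data it must not."""
    return [dict(audit_line(line), line_no=i + 1) for i, line in enumerate(lines)]
```

Run against a real application's stored data, a non-empty "prohibited" list is exactly the condition that lands a product on the list of vulnerable payment applications mentioned on slide 14.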

22

PA-DSS List of Validated Applications

• The PCI SSC has assumed management of the list of validated payment applications at the PCI SSC’s website www.pcisecuritystandards.org

• PCI SSC has a process to transfer or “grandfather” payment applications validated against the PABP to the PA-DSS

– Listed with an expiration indicating a mandatory date for revalidation under PA-DSS

– PABP validation documents were to be provided to Visa by September 15, 2008 and transitioned to the PCI SSC list

– If PABP validation was not accepted by November 30, 2008, the application would undergo the PCI SSC’s PABP to PA-DSS Transition Procedures in order to be listed

• Visa is committed to working with the PCI SSC to ensure a successful transition of PABP to the PA-DSS

23

Payment Application Vendor’s Role

• Create PA-DSS compliant applications that facilitate and do not prevent a customer’s PCI DSS compliance

• Create a PA-DSS Implementation Guide, specific to each application and educate customers, resellers, and integrators on how to install and configure the payment application in a PCI DSS compliant manner

• Alert the PCI SSC and Visa if a vulnerability is identified for the payment application and of the recommended fix/patch to ensure the safety and soundness of the payment system

Cardholder data security is a shared responsibility and all participants must do their part to prevent fraud

24

Integrator and Reseller’s Role

• Must implement security requirements as instructed by the vendor’s PA-DSS implementation guide and training

• When installing payment applications, protect customers by following strict security requirements, including but not limited to:

– Remote management software should be disabled, removed and not used unless necessary and required (e.g., VNC, PCAnywhere, Remote Desktop, SSH, LogMeIn, WebEx, etc.)

• If necessary, ensure appropriate security controls are implemented to prevent unauthorized access

– Do not use system default settings and do not re-use the same usernames or passwords for payment applications or any system across multiple customers

– Advise customers to implement a properly-configured firewall to protect the payment environment from unauthorized access

– Instruct customers to maintain the latest security patches for the payment application, including the operating system and other necessary software

25

Reference Tools

PCI SSC

– PCI Data Security Standard

– PIN Entry Devices Program

– Payment Application Data Security Standard

– Security Audit Procedures

– Self-Assessment Questionnaires

– Security Scanning Procedures

– Qualified Security Assessor List

– Approved Scan Vendor List

– Glossary of Terms

Visa AIS

– What To Do If Compromised guide

– List of PCI DSS-Compliant Service Providers (Registry of Service Providers)

– List of PABP-Validated Payment Applications

www.visa-asia.com/secured

www.visa-asia.com/padss

[email protected]